#
ac49152e |
| 19-Apr-2024 |
Daniel Stenberg |
http_aws_sigv4: remove useless assignment This code assigned the variable the same value it already had Spotted by CodeSonar Closes #13426
|
#
ff74cef5 |
| 11-Dec-2023 |
Daniel Stenberg |
lib: reduce use of strncpy - bearssl: select cipher without buffer copies - http_aws_sigv4: avoid strncpy, require exact timestamp length - http_aws_sigv4: use memcpy instead of strncpy - openssl: avoid strncpy calls - schannel: check for 1.3 algos without buffer copies - strerror: avoid strncpy calls - telnet: avoid strncpy, return error on too long inputs - vtls: avoid strncpy in multissl_version() Closes #12499
|
#
bbba69da |
| 01-Nov-2023 |
Harry Mallon |
http_aws_sigv4: canonicalise valueless query params Fixes #8107 Closes #12244
|
#
91878ebe |
| 29-Sep-2023 |
Daniel Stenberg |
lib: provide and use Curl_hexencode Generates a lower case ASCII hex output from a binary input. Closes #11990
|
#
c8792035 |
| 16-Sep-2023 |
Dan Fandrich |
http_aws_sigv4: fix sorting with empty parts When comparing with an empty part, the non-empty one is always considered greater-than. Previously, the two would be considered equal which would randomly place empty parts amongst non-empty ones. This showed as a test 439 failure on Solaris as it uses a different implementation of qsort() that compares parts differently. Fixes #11855 Closes #11868
|
#
b5c65f8b |
| 12-Aug-2023 |
Jay Satiro |
http_aws_sigv4: handle no-value user header entries - Handle user headers in format 'name:' and 'name;' with no value. The former is used when the user wants to remove an internal libcurl header and the latter is used when the user actually wants to send a no-value header in the format 'name:' (note the semi-colon is converted by libcurl to a colon). Prior to this change the AWS header import code did not special case either of those and the generated AWS SignedHeaders would be incorrect. Reported-by: apparentorder@users.noreply.github.com Ref: https://curl.se/docs/manpage.html#-H Fixes https://github.com/curl/curl/issues/11664 Closes https://github.com/curl/curl/pull/11668
|
#
a1532a33 |
| 10-Sep-2023 |
Daniel Stenberg |
aws_sigv4: the query canon code miscounted URL encoded input Added some extra ampersands to test 439 to verify "blank" query parts Follow-up to fc76a24c53b08cdf Closes #11829
|
#
16bdc09e |
| 08-Sep-2023 |
Daniel Stenberg |
http_aws_sigv4: skip the op if the query pair is zero bytes Follow-up to fc76a24c53b08cdf Spotted by OSS-Fuzz Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=62175 Closes #11823
|
#
fc76a24c |
| 06-Sep-2023 |
Daniel Stenberg |
http_aws_sigv4: canonicalize the query Percent encoding needs to be done using uppercase, and most non-alphanumerical must be percent-encoded. Fixes #11794 Reported-by: John Walker Closes #11806
|
#
e92edfbe |
| 20-Jul-2023 |
Wyatt O'Day |
lib: add ability to disable auths individually Both with configure and cmake Closes #11490
|
#
b8dabfb1 |
| 01-Sep-2023 |
Daniel Stenberg |
awssiv4: avoid freeing the date pointer on error Since it was not allocated, don't free it even if it was wrong syntax Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=61908 Follow-up to b137634ba3adb Closes #11782
|
#
b137634b |
| 28-Aug-2023 |
Matthias Gatto |
lib: fix aws-sigv4 having date header twice in some cases When the user was providing the header X-XXX-Date, the header was re-added during signature computation, and we had it twice in the request. Reported-by: apparentorder@users.noreply.github.com Signed-off-by: Matthias Gatto <matthias.gatto@outscale.com> Fixes: https://github.com/curl/curl/issues/11738 Closes: https://github.com/curl/curl/pull/11754
|
#
d567cca1 |
| 27-Apr-2023 |
Daniel Stenberg |
checksrc: fix SPACEBEFOREPAREN for conditions starting with "*" The open paren check wants to warn for spaces before open parenthesis for if/while/for but also for any function call. In order to avoid catching function pointer declarations, the logic allows a space if the first character after the open parenthesis is an asterisk. I also spotted that we did not include "switch" in the check but we should. This check is a little lame, but we reduce this problem by not allowing that space for if/while/for/switch. Reported-by: Emanuele Torre Closes #11044
|
#
18a45a51 |
| 14-Mar-2023 |
Daniel Stenberg |
http_aws_sigv4: fix scan-build "value stored to 'ret' is never read" Follow-up to 495d09810aa9a Closes #10766
|
#
495d0981 |
| 15-Feb-2023 |
Casey Bodley |
aws_sigv4: fall back to UNSIGNED-PAYLOAD for sign_as_s3 all s3 requests default to UNSIGNED-PAYLOAD and add the required x-amz-content-sha256 header. this allows CURLAUTH_AWS_SIGV4 to correctly sign s3 requests to amazon with no additional configuration Signed-off-by: Casey Bodley <cbodley@redhat.com> Closes #9995
|
#
97f7f668 |
| 02-Feb-2023 |
Kvarec Lezki |
http_aws_sigv4: remove typecasts from HMAC_SHA256 macro V220: Suspicious sequence of types castings: memsize -> 32-bit integer -> memsize. https://pvs-studio.com/en/docs/warnings/v220/ Closes #10400
|
#
2bc1d775 |
| 02-Jan-2023 |
Daniel Stenberg |
copyright: update all copyright lines and remove year ranges - they are mostly pointless in all major jurisdictions - many big corporations and projects already don't use them - saves us from pointless churn - git keeps history for us - the year range is kept in COPYING checksrc is updated to allow non-year using copyright statements Closes #10205
|
#
b8ffb02e |
| 30-Nov-2022 |
Baitinq on github |
aws_sigv4: fix typos in aws_sigv4.c Closes #10008
|
#
7f8e6da6 |
| 25-Oct-2022 |
Casey Bodley |
aws_sigv4: consult x-%s-content-sha256 for payload hash `Curl_output_aws_sigv4()` doesn't always have the whole payload in memory to generate a real payload hash. this commit allows the user to pass in a header like `x-amz-content-sha256` to provide their desired payload hash some services like s3 require this header, and may support other values like s3's `UNSIGNED-PAYLOAD` and `STREAMING-AWS4-HMAC-SHA256-PAYLOAD` with special semantics. servers use this header's value as the payload hash during signature validation, so it must match what the client uses to generate the signature CURLOPT_AWS_SIGV4.3 now describes the content-sha256 interaction Signed-off-by: Casey Bodley <cbodley@redhat.com> Closes #9804
|
#
279834dd |
| 24-Oct-2022 |
Daniel Stenberg |
misc: remove duplicated include files Closes #9796
|
#
57ba1dd5 |
| 12-Oct-2022 |
Daniel Stenberg |
http_aws_sigv4: fix strlen() check The check was off-by-one leading to buffer overflow. Follow-up to 29c4aa00a16872 Detected by OSS-Fuzz Closes #9714
|
#
29c4aa00 |
| 13-Jan-2022 |
Matthias Gatto |
aws_sigv4: fix header computation Handle canonical headers and signed headers creation as explained here: https://docs.aws.amazon.com/general/latest/gr/sigv4-create-canonical-request.html The algo tells that signed and canonical must contain at least host and x-amz-date. So we check whether those are present in the curl http headers list. If they are, we use the one entered by the curl user, otherwise we generate them. Then we convert to lowercase, and remove space from each http header plus host and x-amz-date, then sort them all by alphabetical order. This patch also fixes a bug with host header, which was ignoring the port. Closes #7966
|
#
4d4c2274 |
| 01-Jul-2022 |
Daniel Stenberg |
http_aws_sigv4.c: remove two unused includes Closes #9080
|
#
ad9bc597 |
| 17-May-2022 |
max.mehl |
copyright: make repository REUSE compliant Add licensing and copyright information for all files in this repository. This either happens in the file itself as a comment header or in the file `.reuse/dep5`. This commit also adds a Github workflow to check pull requests and adapts copyright.pl to the changes. Closes #8869
|
#
37f892fb |
| 11-May-2022 |
Daniel Gustafsson |
aws-sigv4: fix potential NULL pointer arithmetic We need to check if the strchr() call returns NULL (due to missing char) before we use the returned value in arithmetic. There is no live bug here, but fixing it before it can become one, for hygiene. Closes: #8814 Reviewed-by: Daniel Stenberg <daniel@haxx.se>
|